I would never use an online password manager. That's just asking for it IMO. There are a number of good desktop programs folks can use. Password Safe was originally written by Bruce Schneier, a rather well-known cryptographer. He's since handed it off to others, but the program is still open source so anyone can see how it works, and it can therefore be validated not to have nasty surprises buried in it.
Personally, I use Keepass2, but it's a Linux program. Also open source and can read a Password Safe database. As long as you have a nicely complex and reasonably long passphrase for your password manager, you should be OK.
LastPass says this means:
1. All encryption and decryption happens on your computer.
When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is locked up by the encryption key while still on your computer, then sent in encrypted form to LastPass server.
2. The sensitive data that is harbored on our servers is always encrypted before it's sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.
3. We never receive the key to decrypt that data.
I also do two other things to make it safe: I use a long, tough passphrase AND I use two-factor authentication with a physical YubiKey.
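The key handling described in the quoted LastPass explanation, sketched for Node.js as an added example (not part of the original post and not LastPass's own code). The choice of PBKDF2-HMAC-SHA256 with the email as salt, the iteration count, AES-256-GCM, and every function and field name are assumptions made for illustration.

```javascript
// Added illustration of client-side vault encryption; parameters are assumed.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor, not a documented value

// Client: master password + email -> 256-bit vault key. It is never uploaded.
function deriveVaultKey(masterPassword, email) {
  return crypto.pbkdf2Sync(masterPassword, email.toLowerCase(), ITERATIONS, 32, 'sha256');
}

// Client: one further one-way step yields a login token, so the server can
// check a login without being able to work back to the vault key.
function deriveLoginToken(vaultKey, masterPassword) {
  return crypto.pbkdf2Sync(vaultKey, masterPassword, 1, 32, 'sha256').toString('hex');
}

// Client: encrypt before upload. The server only ever stores this record.
function sealVault(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', vaultKey, iv);
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    data: data.toString('hex'),
  };
}

// Client: decrypt after download. Throws on a wrong key or an altered blob.
function openVault(vaultKey, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', vaultKey, Buffer.from(blob.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const plain = Buffer.concat([decipher.update(Buffer.from(blob.data, 'hex')), decipher.final()]);
  return plain.toString('utf8');
}

// Constructed sample account and vault contents.
function demo() {
  const email = 'alice@example.com';
  const mp = 'correct horse battery staple';
  const key = deriveVaultKey(mp, email);
  const serverRecord = { email, loginToken: deriveLoginToken(key, mp), vault: sealVault(key, '{"bank":"hunter2"}') };
  let wrongKeyFails = false;
  try { openVault(deriveVaultKey('guess123', email), serverRecord.vault); } catch (e) { wrongKeyFails = true; }
  return { serverRecord, roundTrip: openVault(key, serverRecord.vault), wrongKeyFails };
}
```

Everything in `serverRecord` is what a server-side database copy would contain, so the strength of the master passphrase is what stands between that copy and the plaintext.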